I have been trying to do some digging out there to find out if anyone has seen a trend with receiving devices such as factory machines, strip chart systems or ultrasound machines that run embedded XP containing viruses, as in they came that way from the manufacturer/supplier. I am wondering if someone out there is using it as a vector to spread worms by pre-infecting a flash image of one of these devices at the supplier level, maybe compromising them and swapping in their production flash images with altered versions containing the malware.

If you think about it, it would be a nice way to build a botnet. Smaller companies may not even be checking their systems when sending them out. You know that your bot will end up somewhere useful whether it be in a hospital, lab or factory. I asked the question on twitter but didn't get much feedback.

I know there have been concerns about supply chain attacks, but I'm thinking there hasn't been a large case of them. Honestly, if someone wanted to do it, they would want to build in a delay, so the machines don't start spitting packets as soon as they are connected to the internet. If it was my network, I would hope I would catch it.

Ah but what if the small vendor does not have an IPS in place or does not monitor it and doesn't see the traffic? Or if they do not do much network testing on the device before shipping out?

Shoot, my last job, which was under HIPAA, had an IPS, but the damn thing wasn't even monitoring. It was just sitting there passing traffic for 2 years. So for a company that isn't regulated by HIPAA or PCI, I can't imagine if they even have an IPS installed.

Well, you're making the assumption that a company would have an IDS/IPS without a regulation stating they have to. I've worked with many companies who had no regulations of that sort and still had an IDS/IPS in place. My guess is, depending on how many systems they had in place, they'd notice some speed issues on their network. Also, perhaps notice a slowdown on the machine as they use it, or see it doing things that would not be normal.

In the scenario OP described, there likely wouldn't be many/any IDS/IPS alerts if done properly. Those systems aren't going to identify the attack since it will have occurred prior to the systems arriving at the facility. Yes, it will probably be obvious if all these systems start sending spam as fast as they can. On the other hand, what if they only send an occasional email or make a sporadic HTTPS connection that sends logged key strokes or other information that's been harvested from the system?

Now, if you're denying all outbound except mail from the mail server and web access from the proxy server, you could potentially notice this in the firewall logs. However, this is likely one of those things that's obvious if you're looking for it, but in reality, it would be closer to finding a needle in a haystack. What if ICMP or DNS is used as a transport instead? There are many scenarios where a slow, subtle attack such as this would be extremely difficult to identify, especially on a busy network.

Maybe you guys have had much better experiences than I have, but I know something like this would go completely undetected for a long period of time at many organizations, regardless of their size. There are certainly ways something like this could be combated effectively, but I think you're making some risky assumptions when it comes to how well organizations will actually be able to do that.

Exactly, ajohnson! So from the vendor side, let's say I tested my production image enough times to know that it is solid. Attacker slips in and replaces the image I've been using with the bad image. Again, nothing will happen until that image gets loaded into a new system and shipped out. The only thing I am concerned with as the vendor is that the OS functions correctly with the machine. I fire it up, software works and machine works, and I never connect it to the network because I only have that option for either maintenance or remote support. As the "advanced" attacker, I am just hoping this image makes it onto some useful devices and maybe into a network with useful data. I'm patient and have probably done this to a number of similar vendors. So now I just wait for those reverse shells to report in or for my bots to talk back to my CnC servers.

Now to the customer, who is regulated or has IP they hold very valuable. They most likely have all the network detection tools in place. We get this new device and think nothing of the embedded OS and put it out into the shop. Again, never connecting it to the network since we do not require it, and we do not allow such systems access to the production network unless required by the vendor. So we start having a problem and we need the vendor to fix it; they want to do it remotely, so we put in our change controls and ensure the device can only go out to the internet on a segmented network. BOOM, IPS lights up blocking, let's say, Conficker traffic trying to locate SMB shares. Luckily our network has been hardened against these attacks, so we are not at too much risk. We shut the thing down and proceed to investigate how it got there; we assume at the vendor, since the system has not touched the internet or network until this incident.

Again, some of the larger providers of these types of systems may be doing much better QC on the shipping products and checking everything, but the smaller guys may not be. Again, the attack vector falls to the smaller shops with fewer controls in place, either due to budgets or the idea that they are small, so who would want what they have?
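The vendor-side check that the image-swap scenario above calls for, as an added example that is not from the thread or any real vendor's process: every golden image is hashed into a manifest, and the manifest itself is keyed with a release key that is assumed to live somewhere other than the build share, so an attacker who can overwrite the image on the share cannot simply rewrite the hash list to match. The image contents and key here are constructed placeholders.

```python
import hashlib
import hmac
import json

# Constructed stand-ins for the vendor's production flash images (bytes in memory
# instead of real image files so the example runs offline).
GOLDEN_IMAGES = {
    "ultrasound-xpe-1.4.img": b"\x7fXPE" + b"\x00" * 64 + b"clean build",
    "chart-recorder-2.0.img": b"\x7fXPE" + b"\x11" * 64 + b"clean build",
}
# Assumed: held by release engineering, not stored on the build share.
RELEASE_KEY = b"example-release-key-do-not-reuse"

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def make_manifest(images, key):
    # Hash each golden image, then key the whole hash list, so swapping an image
    # and editing its hash entry together is still caught.
    digests = {name: sha256(data) for name, data in sorted(images.items())}
    body = json.dumps(digests, sort_keys=True).encode()
    return {"images": digests, "sig": hmac.new(key, body, "sha256").hexdigest()}

def verify_image(name, data, manifest, key):
    # Returns (ok, reason). Run before an image is loaded onto a unit, and again
    # on receipt if the manifest ships with the device.
    body = json.dumps(manifest["images"], sort_keys=True).encode()
    expected_sig = hmac.new(key, body, "sha256").hexdigest()
    if not hmac.compare_digest(expected_sig, manifest["sig"]):
        return False, "manifest signature invalid"
    if name not in manifest["images"]:
        return False, "image not in manifest"
    if not hmac.compare_digest(manifest["images"][name], sha256(data)):
        return False, "image hash mismatch"
    return True, "ok"
```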